
Hi;


 


We're an organisation moving from a very heterogeneous software estate to something based more on reusable services and workflow. As a tiny part of this transition I'm looking to build a generic model of Active Directory role based authorisation that can be used across applications, services and blackpearl.


One of the models under consideration is based on simple AD security groups. I'd like the code to be transportable across environments (dev, sat, uat, prod &c) without code or major configuration changes, and for it to be possible to differentiate between roles within a single AD domain.


Here's an example of what I mean:


For a service running in the DEV environment...


String environment = GetEnvironmentString();  // "DEV"

if (!amInGroup(environment + @"-HR-CV-READER"))
{
    throw(...)
}


so a developer who could use this code would have to be in an AD group called "DEV-HR-CV-READER", and someone who actually *was* in HR would be a member of "PROD-HR-CV-READER".


The question is this:  is there any way of mapping this sort of model to AD based groups for task allocation in blackpearl?  Has anyone out there had to address this class of problem?


 


jd 
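The environment-prefixed group check described in the post, sketched as an added example (not the poster's code and not part of K2 blackpearl). The class name `EnvironmentRoles`, the `CORP` domain and the list of environment prefixes are assumptions; it covers only the membership check, not task allocation in blackpearl.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper: names below are illustrative assumptions.
public static class EnvironmentRoles
{
    // Assumed set of environment prefixes; anything else is rejected.
    private static readonly HashSet<string> KnownEnvironments =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "DEV", "SAT", "UAT", "PROD" };

    // Builds "<DOMAIN>\<ENV>-<ROLE>", for example "CORP\DEV-HR-CV-READER".
    public static string GroupFor(string domain, string environment, string role)
    {
        // Fail closed: an empty or unexpected environment string must never
        // resolve to some other, unintended group name.
        if (string.IsNullOrWhiteSpace(environment) || !KnownEnvironments.Contains(environment))
            throw new ArgumentException("Unknown environment.", nameof(environment));
        if (string.IsNullOrWhiteSpace(domain) || string.IsNullOrWhiteSpace(role))
            throw new ArgumentException("Domain and role are required.");
        return domain + "\\" + environment.ToUpperInvariant() + "-" + role.ToUpperInvariant();
    }

    // Throws unless the principal is a member of the environment-specific group.
    public static void Demand(IPrincipal principal, string domain, string environment, string role)
    {
        string group = GroupFor(domain, environment, role);
        if (principal == null || !principal.IsInRole(group))
            throw new UnauthorizedAccessException("Caller is not a member of " + group);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: GenericPrincipal stands in for a domain user so this runs offline.
        // In a service, new WindowsPrincipal(WindowsIdentity.GetCurrent()) takes its place.
        var developer = new GenericPrincipal(
            new GenericIdentity("sample.developer"), new[] { @"CORP\DEV-HR-CV-READER" });

        EnvironmentRoles.Demand(developer, "CORP", "DEV", "HR-CV-READER");
        try
        {
            // Membership of the DEV group must not satisfy the PROD check.
            EnvironmentRoles.Demand(developer, "CORP", "PROD", "HR-CV-READER");
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```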


 


 


 
